Job Description
Minimum Education
Bachelor's degree or equivalent experience
Minimum Experience
6
Summary
Oversees and/or participates in designing and implementing security measures to meet the needs of the organization’s IT systems. Develops an expert understanding of system architecture and the ability to design security solutions that can be applied to multiple systems. Uses data analytics to identify potential security risks and make data-driven decisions about how to improve security across the organization. Oversees collaboration with other cybersecurity professionals to develop and implement security solutions that can withstand potential threats. With limited guidance, provides technical and analytical information security support to ensure Board information and systems are adequately protected.
Duties and Responsibilities
- Oversees and/or participates in implementing risk management and continuous monitoring activities for technology portfolios. Utilizes expert knowledge of risk management principles to evaluate and mitigate potential risks and identify emerging risks using established frameworks and guidelines. Oversees the assessment of the causes and sources of risk, the impacts, and the probability of occurrence.
- With limited guidance, proactively supports planning and implementation of the cybersecurity initiative, such as Cybersecurity Executive Order directives including Zero Trust Architecture.
- Oversees coordination with leadership to create and communicate plans (action, operating, automation, strategic plans), options, approaches, and roadmaps to ensure continuous service and process improvement.
- Defines, designs, and/or develops new policies and procedures to address cybersecurity and operational risk and advises senior management on resilience, information technology, and critical infrastructure. With limited guidance, improves upon business processes by employing a systematic approach of evaluating and optimizing underlying processes.
- Utilizes expert knowledge of and adherence to applicable governing standards to work closely with the Division of IT security teams to support compliance with the Board Information Security Program (BISP).
- Oversees and/or facilitates the initiation and completion of all security assessments and meeting agreed upon schedules by the supported divisions and certifying agents.
- With limited guidance, provides premier IT and business consulting support to provide expert recommendations and function as a trusted advisor to clients and stakeholders. May include subject matter expertise of IT systems, strategic planning, researching new and emerging technologies, evaluating proposed IT solutions, supporting IT procurement activities, and briefing leadership.
- Oversees initiatives and/or works with clients and vendors to implement information system security lifecycle plans in compliance with applicable security statutes and regulations.
- With limited guidance, works on project team to implement and measure the effect of complex security, data loss prevention and privacy strategies. Effectively plans, prioritizes, and executes assignments and work activities with minimal supervision.
- Utilizes expert knowledge of system security standards, best practices, trends, preventative measures, and disaster recovery processes to verify the effectiveness of the security controls protecting systems, which may entail developing and implementing test scripts and running security scans. Recommends and may decide on security enhancements.
- Oversees and/or develops techniques and procedures for conducting cybersecurity risk assessments and compliance audits and for evaluating and testing hardware, firmware, and software. Oversees more junior staff and/or enhances techniques and procedures for conducting cybersecurity risk assessments and compliance audits and for evaluating and testing hardware, firmware, and software. Coaches more junior staff and/or conducts cybersecurity risk assessments and compliance audits and evaluates and tests hardware, firmware, and software. Applies expert understanding of the implications and impact of provisioning unnecessary access within systems.
- Oversees the process for designing reporting dashboards and creating data visualizations and reports for a variety of audiences. Defines controls and reporting processes as needed to meet the Board’s information security requirements. Effectively communicates technical terms to provide guidance and/or summarize complex data and information in a succinct and compelling manner. Highly skilled in developing written and oral communication to articulate technical concepts, ideas, and recommendations to various audiences. Supports ad hoc information security initiatives and special assignments.
Position Requirements
FR-27 Minimal Qualifications
Requires a bachelor's degree in information technology (IT), computer science, cybersecurity, auditing, accounting, or business administration and 6 years of related experience, or a master’s degree in a related field and 4 years of related experience. Must have expert knowledge in the following areas: business process improvement, risk management, system security, system design, information security, security standards, compliance, and project management. Must be able to work effectively with staff. Must be able to direct one or more of the following: designing security systems, investigating and resolving security breaches, consulting, technical writing, and communication.
FR-28 Minimal Qualifications
Requires a bachelor's degree in information technology (IT), computer science, cybersecurity, auditing, accounting, or business administration and 8 years of related experience, or a master’s degree in a related field and 5 years of related experience. Must have expert knowledge in the following areas: business process improvement, risk management, system security, system design, information security, security standards, compliance, and project management. Must be able to work effectively with staff. Must be able to direct one or more of the following: designing security systems, investigating and resolving security breaches, consulting, technical writing, and communication.
Remarks: The Principal Information Security Analyst is a senior individual contributor responsible for ensuring compliance with internal and external information security requirements at the Board. Applicants must possess a comprehensive and deep understanding of federal cybersecurity regulations, including the NIST Risk Management Framework, NIST Cybersecurity Framework, and NIST AI Risk Management Framework. The Principal Information Security Analyst evaluates complex IT systems, identifies weaknesses, and effectively communicates processes and results to stakeholders. The Principal Information Security Analyst coordinates with stakeholders to effectively manage both internal and external audits. The Principal Information Security Analyst identifies, assesses, and prioritizes risks for information systems, vendors, and security programs.
Highly Desirable:
· Ability to conduct the technical evaluation and interpret technical findings of security controls for IT systems against established frameworks.
· Expert knowledge of the following: NIST CSF, NIST RMF, NIST SP 800-53 series, NIST SP 800 series, NIST SP 1800 series, NIST SP 500 series, NIST FIPS, NIST AI RMF, FedRAMP 20x, and others.
· The successful candidate must be able to bridge technical and compliance domains: understand how security technologies work (firewalls, encryption, access controls, etc.) and be able to validate their effectiveness against regulatory and/or contractual requirements.
· The successful candidate will be required to provide on-the-job training to junior staff, work with auditors, translate complex security concepts for non-technical stakeholders, and make risk-based recommendations for control improvements and/or remediation priorities. Expert knowledge in the following areas is highly desirable: governance process development; risk management; System Development Life Cycle (SDLC) management; supply chain risk management; cloud security principles; and AI/ML security principles.
· Ability to plan, schedule, control, and conduct various activities and projects simultaneously and act independently within areas of responsibility.
· Excellent written and oral communication.
· Demonstrated ability to innovate and utilize critical thinking skills to recommend solutions for complex compliance matters.
· Ability to work on multiple tasks that involve a high degree of critical thinking and analytical skills.
Preferred but not required:
· Understanding of security-as-code principles and DevSecOps methodologies for integrating security throughout the software development lifecycle.
· Experience implementing agile methodologies (Scrum, Kanban) and utilizing tools (Jira) for workflow tracking and team collaboration.
· Knowledge of supply chain risks and quantum-resistant cryptography from a compliance perspective.
· Knowledge of Software Bill of Materials (SBOM) practices.
Certifications (preferred but not required):
· Certified Information Systems Auditor (CISA)
· Certified Information Systems Security Professional (CISSP)
· Certified Information Security Manager (CISM)
US Citizenship is required. This position requires an in-office presence in Washington, DC.
